Transcript Chapter 10
Lecture 11 Implementing Information Security Project Asst.Prof.Supakorn Kungpisdan, Ph.D. [email protected] NETE4630 Advanced Network Security and Implementation Learning Objectives Explain how an organization’s information security blueprint becomes a project plan Discuss the many organizational considerations that a project plan must address Demonstrate the significance of the project manager’s role in the success of an information security project Illustrate the need for professional project management for complex projects Follow technical strategies and models for implementing a project plan Identify the nontechnical problems that organizations face in times of rapid change 2 NETE4630 Advanced Network Security and Implementation Introduction SecSDLC implementation phase is accomplished through changing configuration and operation of organization’s information systems Implementation includes changes to procedures, people, hardware, software, and data Organization translates blueprint for information security into a concrete project plan 3 Project Management Body of Knowledge Areas NETE4630 Advanced Network Security and Implementation 4 An IT Project Methodology NETE4630 Advanced Network Security and Implementation 5 NETE4630 Advanced Network Security and Implementation Information Security Project Management Once organization’s vision and objectives are understood, process for creating project plan can be defined Major steps in executing project plan are: Planning the project Supervising tasks and action steps Wrapping up Each organization must determine its own project management methodology for IT and information security projects 6 NETE4630 Advanced Network Security and Implementation Developing the Project Plan Creation of project plan can be done using work breakdown structure (WBS) Major project tasks in WBS are work to be accomplished; individuals assigned; start and end dates; amount of effort required; estimated capital and noncapital expenses; and identification of dependencies between/among tasks Each major WBS task is further divided into smaller tasks or specific action steps 7 NETE4630 Advanced Network Security and Implementation Project Planning Considerations As project plan is developed, adding detail is not always straightforward Special considerations include financial, priority, time and schedule, staff, procurement, organizational feasibility, and training 8 NETE4630 Advanced Network Security and Implementation Financial Considerations No matter what information security needs exist, the amount of effort that can be expended depends on funds available Cost benefit analysis must be verified prior to development of project plan Both public and private organizations have budgetary constraints, though of a different nature To justify an amount budgeted for a security project at either public or for-profit organizations, it may be useful to benchmark expenses of similar organizations 9 NETE4630 Advanced Network Security and Implementation Priority Considerations In general, the most important information security controls should be scheduled first Implementation of controls is guided by prioritization of threats and value of threatened information assets 10 NETE4630 Advanced Network Security and Implementation Time and Scheduling Considerations Time impacts dozens of points in the development of a project plan, including: Time to order, receive, install, and configure security control Time to train the users Time to realize return on investment of control 11 NETE4630 Advanced Network Security and Implementation Staffing Considerations Lack of enough qualified, trained, and available personnel constrains project plan Experienced staff is often needed to implement available technologies and develop and implement policies and training programs 12 NETE4630 Advanced Network Security and Implementation Procurement Considerations IT and information security planners must consider acquisition of goods and services Many constraints on selection process for equipment and services in most organizations, specifically in selection of service vendors or products from manufacturers/suppliers These constraints may eliminate a technology from realm of possibilities 13 NETE4630 Advanced Network Security and Implementation Organizational Feasibility Considerations Policies require time to develop; new technologies require time to be installed, configured, and tested Employees need training on new policies and technology, and how new information security program affects their working lives Changes should be transparent to system users unless the new technology is intended to change procedures (e.g., requiring additional authentication or verification) 14 NETE4630 Advanced Network Security and Implementation Training and Indoctrination Considerations Size of organization and normal conduct of business may preclude a single large training program on new security procedures/technologies Thus, organization should conduct phased-in or pilot approach to implementation 15 NETE4630 Advanced Network Security and Implementation Scope Considerations Project scope: concerns boundaries of time and efforthours needed to deliver planned features and quality level of project deliverables In the case of information security, project plans should not attempt to implement the entire security system at one time 16 NETE4630 Advanced Network Security and Implementation The Need for Project Management Project management requires a unique set of skills and thorough understanding of a broad body of specialized knowledge Most information security projects require a trained project manager (a CISO) or skilled IT manager versed in project management techniques 17 NETE4630 Advanced Network Security and Implementation Supervised Implementation Some organizations may designate champion from general management community of interest to supervise implementation of information security project plan An alternative is to designate senior IT manager or CIO to lead implementation Optimal solution is to designate a suitable person from information security community of interest It is up to each organization to find the most suitable leadership for a successful project implementation 18 NETE4630 Advanced Network Security and Implementation Executing the Plan Negative feedback ensures project progress is measured periodically Measured results compared against expected results When significant deviation occurs, corrective action taken Often, project manager can adjust one of three parameters for task being corrected: effort and money allocated; scheduling impact; quality or quantity of deliverable 19 NETE4630 Advanced Network Security and Implementation 20 NETE4630 Advanced Network Security and Implementation Project Wrap-up Project wrap-up is usually handled as procedural task and assigned to mid-level IT or information security manager Collect documentation, finalize status reports, and deliver final report and presentation at wrap-up meeting Goal of wrap-up is to resolve any pending issues, critique overall project effort, and draw conclusions about how to improve process 21 NETE4630 Advanced Network Security and Implementation Technical Topics of Implementation Some parts of implementation process are technical in nature, dealing with application of technology Others are not, dealing instead with human interface to technical systems 22 NETE4630 Advanced Network Security and Implementation Conversion Strategies As components of new security system are planned, provisions must be made for changeover from previous method of performing task to new method Four basic approaches: Direct changeover Phased implementation Pilot implementation Parallel operations 23 NETE4630 Advanced Network Security and Implementation The Bull’s-Eye Model Proven method for prioritizing program of complex change Issues addressed from general to specific; focus is on systematic solutions and not individual problems Relies on process of evaluating project plans in progression through four layers: policies, networks, systems, applications 24 NETE4630 Advanced Network Security and Implementation Followed by assessment and remediation of the security of the organization’s applications 25 NETE4630 Advanced Network Security and Implementation To Outsource or Not Just as some organizations outsource IT operations, organizations can outsource part or all of information security programs Due to complex nature of outsourcing, it’s advisable to hire best outsourcing specialists and retain best attorneys possible to negotiate and verify legal and technical intricacies 26 NETE4630 Advanced Network Security and Implementation Technology Governance and Change Control Technology governance: complex process an organization uses to manage impact and costs from technology implementation, innovation, and obsolescence By managing the process of change, organization can improve communication; enhance coordination; reduce unintended consequences; improve quality of service; and ensure groups are complying with policies 27 NETE4630 Advanced Network Security and Implementation The Culture of Change Management Prospect of change can cause employees to build up resistance to change The stress of change can increase the probability of mistakes or create vulnerabilities Resistance to change can be lowered by building resilience for change Lewin change model: unfreezing, moving, refreezing 28 NETE4630 Advanced Network Security and Implementation Reducing Resistance to Change from the Start The more ingrained the previous methods and behaviors, the more difficult the change Best to improve interaction between affected members of organization and project planners in early project phases Three-step process for project managers: communicate, educate, and involve 29 NETE4630 Advanced Network Security and Implementation Developing a Culture that Supports Change Ideal organization fosters resilience to change Resilience: organization has come to expect change as a necessary part of organizational culture, and embracing change is more productive than fighting it To develop such a culture, organization must successfully accomplish many projects that require change 30 NETE4630 Advanced Network Security and Implementation Summary Moving from security blueprint to project plan Organizational considerations addressed by project plan Project manager’s role in success of an information security project Technical strategies and models for implementing project plan Nontechnical problems that organizations face in times of rapid change 31